This blog is about the Linux Command Line Interface (CLI), with an occasional foray into GUI territory.
Instead of just giving you information like some man page, I hope to illustrate each command in real-life scenarios.

Search This Blog

Tuesday, August 26, 2014

This post addresses how to configure the Linux firewall to protect a Debian-based web application server.
While there are GUI tools for the job, we will focus on the command-line tool iptables.

The scenario is that you have just installed Debian (or Ubuntu) on a server connected to the Internet.
This will be used as a web server hosting your WordPress blog.
I assume that you already have Apache, and WordPress installed. Please refer to
my earlier post for instructions on how to install WordPress on Debian.

Basic Requirements

Before we build the firewall, let's write down the basic requirements - the types of traffic the machine will accept and those it will drop.

Accept all outbound traffic (from server to the Internet).

Accept all traffic from the loopback(lo) interface, which is necessary for many applications.

Accept inbound ssh logins.

Accept inbound Web requests.

Accept inbound ping requests.

Log firewall-specific warnings.

Build firewall

Please follow the order of the steps below. The procedural order is designed to minimize the chance of locking yourself out by mis-configuring the firewall.

Log in to the server either on the physical console or remotely via ssh.

The physical console is better because then you don't need to worry about being locked out. However, it is not always possible to access the console because the machine may be sitting afar in a data center.

The above rule accepts any incoming traffic that is part of, or related to, an existing connection. If you are currently logged in via a remote ssh session, this rule prevents you from being locked out. So, it is important that you create it first.

Add rule # 2.

$ sudo iptables -I INPUT 2 -i lo -j ACCEPT

This rule accepts all traffic from the loopback interface (localhost/127.0.0.1).

All incoming traffic that are not accepted by any prior rule get logged at a maximum rate of 2 entries per minute. The default log file is /var/log/messages. For easy identification, the log entries are prefixed with the string 'Input:Drop:'.

Change default INPUT and FORWARD policies to DROP.

With the policy change, all incoming traffic not explicitly accepted by any of the above rules are dropped.

$ sudo iptables -P INPUT DROP
$ sudo iptables -P FORWARD DROP

Your basic firewall is complete. You can view the newly created firewall rules via the following:

Save firewall

The firewall that you just created will not persist. If you reboot the server, the firewall will revert to the default configuration - accept all traffic - before you made all the above modifications. To save the firewall changes permanently,

Install iptables-persistent package.

$ sudo apt-get install iptables-persistent

Make an explicit save.

After you finish modifying the firewall, you need to explicitly save the firewall configuration in the file /etc/iptables/rules.v4 using the command below.

$ sudo sh -c "iptables-save > /etc/iptables/rules.v4"

Custom log file

The above firewall logs all dropped incoming traffic to the general system log file /var/log/messages. To avoid cluttering the file, I recommend sending the iptables-related log entries to a separate file, say /var/log/iptables.log. This is possible because iptables-related log entries are prefixed with a custom identifier - 'INPUT:DROP:'.

Create a rsyslog rule to redirect firewall log entries.

A new file /etc/rsyslog.d/10-iptables.conf is created to hold the rsyslog rule.

Tuesday, August 19, 2014

Many Linux commands accept command-line options and positional parameters.
The grep command searches for a pattern in a given file.
Its 2 positional parameters are the pattern and the filename.
It accepts options such as -i which specifies that the search is case insensitive.

An interesting scenario is when a positional parameter has a value starting with a dash ('-'). This makes the parameter indistinguishable from an option.
For example, you try to grep the string -tea in a given file.

Sunday, August 10, 2014

In the world of affordable, dual 27-inch monitors, the GNOME virtual screen feature (aka workspaces) may not hold the same prominent position as before. But, to people like myself who still operate machines equipped with only a single 19-inch monitor, using workspaces effectively is still a big productivity booster.

Below are some tips for using GNOME Classic workspaces.

Tip 1: Change # of default workspaces

By default, the GNOME desktop has 4 workspaces available. The default number can be changed. I, for one, would like to decrease the number of workspaces to 2. I hardly ever need more than 2. With 4 workspace icons spanned out at the bottom of the GNOME Classic screen, I often accidentally click on the wrong one.

To change the default number of workspaces, first install the wmctrl tool. (This tool is also featured in my previous post on how to change window manager.)

$ sudo apt-get install wmctrl

To modify the number of workspaces to 2:

$ wmctrl -n 2

Note that the change takes effect immediately. Also, the change persists after you log out of GNOME.

Tip 2: Keyboard shortcuts to move window to another workspace

Move focus to the window that you want to move. This can be achieved by simply clicking inside that window.

Press the Shift+Ctrl+Alt+RightArrow keys to move the window one workspace to the right.
Similarly, press the Shift+Ctrl+Alt+LeftArrow keys to move one workspace to the left.

Tip 3: Keyboard shortcuts to switch workspaces

Before I learn of the keyboard shortcuts, I always mouse over to the workspace switcher app at the bottom of the GNOME Classic screen. From there, I can either click a workspace icon, or scroll using the mouse's scroll wheel, to switch to the target workspace.

If you prefer keyboard shortcuts to the mouse,

press the Ctrl+Alt+RightArrow keys to switch to the workspace on the right of the current workspace, or

press the Ctrl+Alt+LeftArrow keys to switch to the workspace on the left.

Tip 4: Customizing keyboard shortcuts

You can view the entire list of GNOME keyboard shortcuts, and even customize them according to your personal preferences.

Open System Settings.

$ gnome-control-center

You can also open System Settings from the user menu in the top right corner.

Open Keyboard / Shortcuts / Navigation.

Change keyboard shortcut.

To edit a keyboard shortcut, click to select the corresponding row. Note that a new label is displayed: New accelerator. Press the new keyboard shortcut keys.

Monday, August 4, 2014

Google recently announced the beta release of the Chrome Remote Desktop for Linux.
It allows you to remotely connect to a Linux machine from within the Chrome browser. Judging from the early comments in the Google product help forum, setting up the Chrome Remote Desktop on a Linux machine is still rather quirky for certain configurations. This post details my experience of successfully installing and setting up Chrome Remote Desktop to connect from an Android device to a Debian Wheezy machine.

Install on Debian

Install Google Chrome.

The official Debian Wheezy repository includes the Chromium browser, which is the unbranded, open-sourced version of Chrome. To avoid any compatibility issues, download the official Google Chrome browser package directly from the Google product page. Then, install it as follows:

Create the file ~/.chrome-remote-desktop-session, which contains the command to start your preferred desktop environment. You may look up the command in the corresponding desktop file located in the /usr/share/xsessions directory. For instance, if the desktop is GNOME, look up the Exec command in
/usr/share/xsessions/gnome.desktop.

$ grep '^Exec=' /usr/share/xsessions/gnome.desktop
Exec=gnome-session

Note that gnome-session - the text after 'Exec=' - is the command to start the virtual session.
Insert the command to ~/.chrome-remote-desktop-session as follows:

$ cat > ~/.chrome-remote-desktop-session
exec gnome-session

Change screen resolution (optional).

By default, the screen resolution of the remotely-connected virtual desktop is 1600 x 1200 pixels. To modify the default resolution, append a line to ~/.profile. For instance, to make it 1024 x 768,